EP3326104A1 - Technologies for secure trusted I/O access control - Google Patents

Technologies for secure trusted I/O access control

Info

Publication number
EP3326104A1
Authority
EP
European Patent Office
Prior art keywords
dma channel
computing device
trusted
core service
protect
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP16828189.7A
Other languages
English (en)
French (fr)
Other versions
EP3326104B1 (de)
EP3326104A4 (de)
Inventor
Bin Xing
Pradeep M. Pappachan
Siddhartha CHHABRA
Reshma LAL
Steven B. Mcgowan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corp
Publication of EP3326104A1
Publication of EP3326104A4
Application granted
Publication of EP3326104B1
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14 Handling requests for interconnection or transfer
    • G06F13/20 Handling requests for interconnection or transfer for access to input/output bus
    • G06F13/28 Handling requests for interconnection or transfer for access to input/output bus using burst mode transfer, e.g. direct memory access DMA, cycle steal
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • TEE Trusted Execution Environment
  • VMs secure virtual machines
  • CSE converged security engine
  • the TEE, while useful to protect secrets within the TEE, may not protect I/O data such as user and sensor data that is communicated into and/or out of the secure "container."
  • the security requirements for trusted I/O vary per use case and device, and involve flavors and combinations of confidentiality, integrity, liveliness, and replay protection.
  • I/O On a personal computer platform, securing I/O has several complexities. To protect I/O for a given usage, many input devices may need to be secured because the platform often has multiple devices of the same category connected via different I/O controllers, and a user may dynamically select any one of the connected devices during use. For example, when inputting text, the user may choose to use an embedded keyboard, a USB keyboard, or a Bluetooth (BT) keyboard. The user may also use a touch screen to input data. This means all keyboards and touch input may need to be secured for a usage that requires secure text input. Additionally, I/O devices may be used by secure applications and by regular applications, which means that those devices may be required to switch dynamically from being protected to being in the clear and vice versa.
  • BT Bluetooth
  • Hardware cryptographic trusted I/O provides a hardware architecture to protect I/O data for TEEs such as SGX secure enclaves, virtual machine monitors (VMMs), and other TEEs.
  • Hardware cryptographic TIO provides a mechanism to protect the I/O data using a central cryptographic engine (CE) in the direct memory access (DMA) path between the I/O device and the memory, thereby protecting the I/O data as it moves on or off the package.
  • CE central cryptographic engine
  • DMA direct memory access
  • FIG. 1 is a simplified block diagram of at least one embodiment of a computing device for trusted I/O access control
  • FIG. 2 is a simplified block diagram of at least one embodiment of an environment that may be established by the computing device of FIG. 1
  • FIG. 3 is a simplified block diagram of at least one embodiment of a system architecture that may be established by the computing device of FIGS. 1-2;
  • FIG. 4 is a simplified flow diagram of at least one embodiment of a method for trusted I/O access control that may be executed by the computing device of FIGS. 1-3.
  • references in the specification to "one embodiment," "an embodiment," "an illustrative embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not necessarily include that particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • items included in a list in the form of "at least one of A, B, and C" can mean (A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and C).
  • items listed in the form of "at least one of A, B, or C" can mean (A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and C).
  • the disclosed embodiments may be implemented, in some cases, in hardware, firmware, software, or any combination thereof.
  • the disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors.
  • a machine-readable storage medium may be embodied as any storage device, mechanism, or other physical structure for storing or transmitting information in a form readable by a machine (e.g., a volatile or non-volatile memory, a media disc, or other media device).
  • a computing device 100 for secure I/O programming access control includes, among other components, a processor 120, main memory 132, a hardware cryptographic engine 140, and one or more I/O controllers 144 in communication with one or more I/O devices 146.
  • the cryptographic engine 140 provides on-the-fly encryption and decryption of data transferred via direct memory access (DMA) transactions between the I/O controllers 144 and the memory 132.
  • Each DMA transaction is tagged with a channel ID (CID) representing a flow of data associated with a particular I/O device 146 or set of I/O devices 146.
  • CID channel ID
  • the cryptographic engine 140 uses the CID to reliably identify transactions that must be protected, retrieve the corresponding encryption keys, and perform appropriate cryptographic operations on the DMA data.
  • the computing device 100 establishes two independent trust domains: an operating system (and/or a VMM) and a secure-enclave-based TIO stack.
  • the components of the secure-enclave-based TIO stack may trust each other using secure enclave attestation.
  • the operating system and the secure-enclave-based TIO stack may not trust each other; for example, the operating system may not decrypt encrypted I/O data, and the TIO stack may not take complete control of the I/O devices 146.
  • a privileged TIO core service is trusted by both the operating system and the secure-enclave-based TIO stack.
  • a secure application enclave may request the TIO core service to encrypt a DMA channel, and in response the TIO core service submits the request to the operating system to protect the DMA channel.
  • the request may designate a privileged delegate hosted by the TIO core service that may determine whether a user has confirmed that a secure TIO session has been terminated.
  • the computing device 100 allows the TIO core service to protect I/O devices 146 on behalf of secure applications while also preventing denial of service (DoS) attacks, for example by preventing a malicious secure enclave from refusing to release an encrypted I/O device 146. Additionally, the computing device 100 may protect user input even if the original secure application crashes, while still allowing the operating system to reclaim an encrypted device.
  • DoS denial of service
  • the computing device 100 may provide flexible security by requiring only a limited number of modules (e.g., secure enclaves hosted by the TIO core service) to be trusted by the operating system, rather than requiring an extensive number of modules to be whitelisted or otherwise trusted (e.g., without requiring every secure enclave, trusted application, trusted device driver, and/or other trusted execution environment of the computing device 100 to be trusted).
  • the computing device 100 may be embodied as any type of computation or computer device capable of performing the functions described herein, including, without limitation, a computer, a desktop computer, a workstation, a server, a laptop computer, a notebook computer, a tablet computer, a mobile computing device, a wearable computing device, a network appliance, a web appliance, a distributed computing system, a processor-based system, and/or a consumer electronic device.
  • the computing device 100 illustratively includes a processor 120, an input/output subsystem 128, a memory 132, a data storage device 134, and communication circuitry 136.
  • the computing device 100 may include other or additional components, such as those commonly found in a desktop computer (e.g., various input/output devices), in other embodiments. Additionally, in some embodiments, one or more of the illustrative components may be incorporated in, or otherwise form a portion of, another component. For example, the memory 132, or portions thereof, may be incorporated in the processor 120 in some embodiments.
  • the processor 120 may be embodied as any type of processor capable of performing the functions described herein.
  • the processor 120 may be embodied as a single or multi-core processor(s), digital signal processor, microcontroller, or other processor or processing/controlling circuit.
  • the processor 120 may include hardware virtualization support 122, secure enclave support 124, and crypto engine programming support 126.
  • the hardware virtualization support 122 supports virtualized execution of operating systems, applications, and other software by the computing device 100.
  • the hardware virtualization support 122 may include virtual machine extensions (VMX) support by providing two modes of execution: VMX-root mode and VMX non-root mode.
  • VMX-root mode allows executing software to have broad control of the computing device 100 and its hardware resources.
  • a hypervisor, virtual machine monitor (VMM), or host operating system (OS) may execute in VMX-root mode.
  • the VMX non-root mode restricts access to certain hardware instructions while still implementing the ordinary ring/privilege system of the processor 120.
  • One or more guest OSs may execute in the VMX non-root mode.
  • the hardware virtualization support 122 may also support extended page tables (EPT), which may be embodied as hardware-assisted second-level page address translation.
  • EPT extended page tables
  • the hardware virtualization support 122 may be embodied as, for example, Intel® VT-x technology.
  • the secure enclave support 124 allows the processor 120 to establish a trusted execution environment known as a secure enclave, in which executing code may be measured, verified, and/or otherwise determined to be authentic. Additionally, code and data included in the secure enclave may be encrypted or otherwise protected from being accessed by code executing outside of the secure enclave. For example, code and data included in the secure enclave may be protected by hardware protection mechanisms of the processor 120 while being executed or while being stored in certain protected cache memory of the processor 120. The code and data included in the secure enclave may be encrypted when stored in a shared cache or the main memory 132.
  • the secure enclave support 124 may be embodied as a set of processor instruction extensions that allows the processor 120 to establish one or more secure enclaves in the memory 132.
  • the secure enclave support 124 may be embodied as Intel® Software Guard Extensions (SGX) technology.
  • the crypto engine programming support 126 allows the processor 120 to program the cryptographic engine 140 to provide cryptographic protection of I/O data.
  • the processor 120 may enable or disable encryption for certain I/O channels, and may securely provide encryption keys to the cryptographic engine 140.
  • the crypto engine programming support 126 may be embodied as one or more specialized processor instructions (e.g., the instructions EBINDTIO, UNWRAP, or other instructions) and associated hardware, microcode, firmware, or other components of the processor 120.
  • the crypto engine programming support 126 of the processor 120 may allow trusted software to program the cryptographic engine 140 while preventing untrusted software from programming the cryptographic engine 140.
  • the memory 132 may be embodied as any type of volatile or non-volatile memory or data storage capable of performing the functions described herein.
  • the memory 132 may store various data and software used during operation of the computing device 100 such as operating systems, applications, programs, libraries, and drivers.
  • the memory 132 is communicatively coupled to the processor 120 via the I/O subsystem 128, which may be embodied as circuitry and/or components to facilitate input/output operations with the processor 120, the memory 132, and other components of the computing device 100.
  • the I/O subsystem 128 may be embodied as, or otherwise include, memory controller hubs, input/output control hubs, platform controller hubs, integrated control circuitry, firmware devices, communication links (i.e., point-to-point links, bus links, wires, cables, light guides, printed circuit board traces, etc.) and/or other components and subsystems to facilitate the input/output operations.
  • the I/O subsystem 128 may further include secure routing support 130.
  • the secure routing support 130 includes hardware support to ensure I/O data cannot be misrouted in the fabric 128 under the influence of rogue software.
  • the secure routing support 130 may be used with the cryptographic engine 140 to provide cryptographic protection of I/O data.
  • the I/O subsystem 128 may form a portion of a system-on-a-chip (SoC) and be incorporated, along with the processor 120, the memory 132, and other components of the computing device 100, on a single integrated circuit chip.
  • SoC system-on-a-chip
  • the data storage device 134 may be embodied as any type of device or devices configured for short-term or long-term storage of data such as, for example, memory devices and circuits, memory cards, hard disk drives, solid-state drives, or other data storage devices. In some embodiments, the data storage device 134 may be used to store the contents of one or more secure enclaves. When stored by the data storage device 134, the contents of the secure enclave may be encrypted to prevent unauthorized access.
  • the communication circuitry 136 of the computing device 100 may be embodied as any communication circuit, device, or collection thereof, capable of enabling communications between the computing device 100 and other remote devices over a network. The communication circuitry 136 may be configured to use any one or more communication technology (e.g., wired or wireless communications) and associated protocols (e.g., Ethernet, Bluetooth®, Wi-Fi®, WiMAX, etc.) to effect such communication.
  • the computing device 100 may include a security engine
  • the security engine 138 may be embodied as any hardware component(s) or circuitry capable of providing security-related services to the computing device 100.
  • the security engine 138 may include a microprocessor, microcontroller, or other embedded controller capable of executing firmware and/or other code independently and securely from the processor 120.
  • the security engine 138 may be used to establish a trusted execution environment separate from code executed by the processor 120.
  • the security engine 138 may communicate with the processor 120 and/or other components of the computing device 100 over a dedicated bus, such as a host embedded controller interface (HECI).
  • HECI host embedded controller interface
  • the security engine 138 may also provide remote configuration, control, or management of the computing device 100.
  • the security engine 138 is embodied as a converged security and manageability engine (CSME) incorporated in a system-on-a-chip (SoC) of the computing device 100.
  • the security engine 138 may be embodied as a manageability engine, an out-of-band processor, a Trusted Platform Module (TPM), or other security engine device or collection of devices.
  • the security engine 138 is also capable of communicating using the communication circuitry 136 or a dedicated communication circuit independently of the state of the computing device 100 (e.g., independently of the state of the main processor 120), also known as "out-of-band" communication.
  • the cryptographic engine 140 may be embodied as any microcontroller, microprocessor, functional block, logic, or other circuit or collection of circuits capable of performing the functions described herein.
  • the cryptographic engine 140 may encrypt and/or decrypt I/O data read or written by the I/O controllers 144 in one or more direct memory access (DMA) operations to the memory 132.
  • the cryptographic engine 140 includes an internal channel identifier (CID) table 142, which the cryptographic engine 140 uses to dynamically identify DMA channel(s) to be protected.
  • the CID table 142 may be controlled and/or programmed by trusted software, for example using the crypto engine programming support 126 of the processor 120.
  • the encryption keys and/or other secret information of the CID table 142 are not available to untrusted software.
  • the cryptographic engine 140 may be incorporated along with the I/O subsystem 128 and/or the processor 120 in a system-on-a-chip (SoC) of the computing device 100.
  • the I/O controllers 144 may be embodied as any embedded controller, microcontroller, microprocessor, functional block, logic, or other circuit or collection of circuits capable of performing the functions described herein.
  • one or more of the I/O controllers 144 may be embedded in another component of the computing device 100 such as the I/O subsystem 128 and/or the processor 120.
  • one or more of the I/O controllers 144 may be connected to the I/O subsystem 128 and/or the processor 120 via an expansion bus such as PCI Express (PCIe) or other I/O connection.
  • PCIe PCI Express
  • the I/O controllers 144 communicate with one or more I/O devices 146, for example over a peripheral communications bus (e.g., USB, Bluetooth, etc.).
  • the I/O devices 146 may be embodied as any I/O device, such as human interface devices, keyboards, mice, touch screens, microphones, cameras, and other input devices, as well as displays and other output devices.
  • the I/O controllers 144 and associated DMA channels are uniquely identified using identifiers called channel identifiers (CIDs).
  • Each I/O controller 144 may assert an appropriate CID with every DMA transaction, for example as part of a transaction layer packet (TLP) prefix, to uniquely identify the source of the DMA transaction and provide liveness protections.
  • TLP transaction layer packet
  • the CID also enables the isolation of I/O from different devices 146.
  • the cryptographic engine 140 may snoop all DMA transactions generated by the I/O controllers 144 to the memory 132. On each transaction to or from a device 146 capable of participating in trusted I/O, the cryptographic engine 140 references the CID table 142 to find the CID corresponding to the DMA channel in the CID table 142. A match indicates that the channel is currently protected and that the cryptographic engine 140 should use the channel key associated with the channel to protect the data written to and/or the data read from memory 132 (depending on the direction of the channel).
  • the illustrative environment 200 includes a common trust module 202, an access control module 204, and a programming module 206.
  • the various modules of the environment 200 may be embodied as hardware, firmware, microcode, software, or a combination thereof.
  • one or more of the modules of the environment 200 may be embodied as circuitry or collection of electrical devices (e.g., common trust circuitry 202, access control circuitry 204, and/or programming circuitry 206).
  • one or more of the common trust circuitry 202, the access control circuitry 204, and/or the programming circuitry 206 may form a portion of one or more of the processor 120, the I/O subsystem 128, the cryptographic engine 140, and/or other components of the computing device 100. Additionally, in some embodiments, one or more of the illustrative modules may form a portion of another module and/or one or more of the illustrative modules may be independent of one another.
  • the common trust module 202 is configured to execute a trusted I/O core service.
  • the trusted I/O core service has a cryptographic engine programming privilege granted by an operating system of the computing device 100.
  • the common trust module 202 is further configured to receive a request from an application to protect a DMA channel associated with an I/O device 146.
  • the application does not have the cryptographic engine programming privilege.
  • the common trust module 202 may be further configured to receive, by the trusted I/O core service from the operating system, a request to unprotect the DMA channel, to determine, by a privileged delegate associated with the DMA channel, whether a user of the computing device 100 has confirmed termination of protection of the DMA channel, and to unprotect, by the trusted I/O core service, the DMA channel if the user confirms the termination.
  • the privileged delegate is established by the trusted I/O core service.
  • the common trust module 202 is further configured to generate, by a cryptographic engine enclave (CEE), a channel encryption key in response to receiving the request to protect the DMA channel.
  • CEE cryptographic engine enclave
  • the CEE is established by the trusted I/O core service and protected using the secure enclave support 124 of the processor 120.
  • the common trust module 202 may be further configured to wrap, by the CEE, the channel encryption key to generate wrapped programming information, for example by executing an EBINDTIO instruction of the processor 120.
  • the access control module 204 is configured to receive, by the operating system, a request from the trusted I/O core service to protect the DMA channel in response to the trusted I/O core service receiving the request from the application.
  • the access control module 204 is further configured to verify, by the operating system, the cryptographic engine programming privilege of the trusted I/O core service in response to receiving the request to protect the DMA channel.
  • the access control module 204 may be further configured to determine, by the operating system, whether to unprotect the DMA channel and to request the trusted I/O core service to unprotect the DMA channel.
  • the programming module 206 is configured to program the cryptographic engine 140 to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the trusted I/O core service.
  • the programming module 206 may be further configured to unwrap, by the operating system, the wrapped programming information to generate unwrapped programming information.
  • the programming module 206 may be configured to unwrap the wrapped programming information and program the unwrapped programming information to the cryptographic engine 140, for example by executing an UNWRAP instruction of the processor 120.
  • diagram 300 illustrates a system architecture that may be established by the computing device 100.
  • the system architecture includes a trusted I/O (TIO) core service 302, which may be embodied as an application, server, daemon, or other user-level process of the computing device 100.
  • TIO trusted I/O
  • the TIO core service 302 has a cryptographic engine programming privilege recognized by an operating system 316 and thus is allowed to control the cryptographic engine 140.
  • the TIO core service 302 may be embodied as a privileged process in the sense that it is allowed to program the cryptographic engine 140 by instructing a kernel-mode driver (e.g., a cryptographic engine driver (CED) 318) to program the cryptographic engine 140.
  • the TIO core service 302 hosts several secure enclaves that inherit the privileges of the TIO core service 302. Each of the secure enclaves may be embodied as user-level code (e.g., ring-3 code) protected by the secure enclave support 124 of the processor 120.
  • the TIO core service 302 establishes a crypto engine enclave (CEE) 304, one or more privileged device driver enclaves (DDEs) 306, and one or more privileged delegates 308.
  • CEE crypto engine enclave
  • DDEs privileged device driver enclaves
  • the CEE 304 generates, maintains, or otherwise has access to encryption keys associated with one or more DMA channels.
  • the CEE 304 programs the cryptographic engine 140 with channel encryption keys using the crypto engine programming support 126 of the processor 120.
  • the CEE 304 may execute one or more specialized processor instructions such as EBINDTIO to prepare binary data including wrapped channel programming information, including wrapped encryption keys that may be used to program the cryptographic engine 140.
  • Each of privileged DDEs 306 may be embodied as a secure enclave that manages a specific I/O device 146 or a specific class of I/O devices 146, similar to an untrusted device driver.
  • an HID DDE 306 may parse human interface device (HID) reports.
  • HID human interface device
  • each of the privileged delegates 308 may be embodied as a privileged DDE 306 that is authorized to determine on behalf of another software component whether it is secure to unprotect a particular DMA channel.
  • the TIO core service 302 may also establish additional secure enclaves used to enumerate, attest, and verify the I/O devices 146 of the computing device 100, such as a platform enumerator enclave and/or one or more secure bus enumerators.
  • the TIO core service 302 and its components are trusted by an operating system 316 of the computing device 100, and for example, may be provided or otherwise verified by the vendor of the operating system 316.
  • the system architecture may further include one or more unprivileged applications 310 and associated application enclaves 312 as well as one or more unprivileged DDEs 314.
  • the unprivileged application enclaves 312 and/or the unprivileged DDEs 314 are not permitted to program the cryptographic engine 140 or otherwise access the CED 318 directly. Rather, the unprivileged application enclaves 312 and/or the unprivileged DDEs 314 may request the TIO core service 302 to establish one or more secure DMA channels that may be used for secure I/O with the associated I/O devices 146.
  • the unprivileged application enclaves 312 and/or the unprivileged DDEs 314 may be required to specify a privileged delegate 308 when requesting to encrypt a DMA channel.
  • the privileged DDEs 306 established by the TIO core service 302 are allowed to encrypt DMA channels without specifying a delegate 308.
  • the system architecture further includes an operating system 316 and a crypto engine driver (CED) 318.
  • the operating system 316 establishes a separate trust domain from the trusted I/O components of the computing device 100.
  • the operating system 316 may not have access to the secure internal state of secure enclaves protected by the secure enclave support 124, such as the CEE 304, the privileged DDEs 306, the delegates 308, the application enclave 312, and/or the unprivileged DDEs 314.
  • the CED 318 may be embodied as a kernel module, kernel process, or other kernel-mode code (e.g., ring-0 code) of the computing device 100.
  • the CED 318 provides wrapped programming information to the unwrapping engine 320, which may unwrap and verify the programming information and, if verified, program the channel programming information to the cryptographic engine 140.
  • the CED 318 may restrict access to the unwrapping engine 320, for example by verifying that requests to unwrap the wrapped programming information originate from the TIO core service 302 or other privileged component of the computing device 100.
  • the unwrapping engine 320 is embodied as hardware and/or microcode resources of the processor 120.
  • the CED 318 may invoke one or more specialized, kernel-level processor instructions of the processor 120 such as an UNWRAP instruction.
  • the functions of the unwrapping engine 320 may be performed by the cryptographic engine 140 and/or other components of the computing device 100.
  • the illustrative embodiment discloses hardware cryptographic TIO using secure-enclave-based trusted execution environments (TEEs), as compared to VMM-based TEEs, for example. It should be understood that although the illustrative embodiment describes a secure-enclave-based TIO embodiment, this disclosure also applies to embodiments in which two or more trust domains coexist yet do not trust each other, or do not have sufficient information to act on behalf of each other (for example, VTIO and/or VSM by Microsoft®).
  • TEEs secure-enclave-based trusted execution environments
  • the computing device 100 may execute a method 400 for secure access control to the cryptographic engine 140.
  • the method 400 begins with block 402, in which the computing device 100 installs the TIO core service 302 with one or more operating system 316 privileges.
  • the TIO core service 302 is installed with privileges to access the CED 318 or otherwise control programming of the cryptographic engine 140.
  • the TIO core service 302 may be embodied as an operating system 316 process with a role-based privilege that may be inherited by any secure enclaves hosted by the TIO core service 302.
  • the privilege associated with the TIO core service 302 may be assigned at installation time by a system administrator (for Microsoft® Windows™ operating systems 316), by the root user (for Linux® operating systems 316), or by another administrative role.
  • the privilege associated with the TIO core service 302 may be embodied as a particular user and/or as membership in a particular group. For example, on a Linux-based operating system 316, during installation of the TIO core service 302, a special group (e.g., "sgxio_core") and a user (e.g., with the same name "sgxio_core") in that group may be created.
  • the CED 318 may create one or more device nodes to receive system calls (e.g., IOCTLs) and may set permissions on each device node to require membership in the associated group.
  • a device node "/dev/sgxio_core" may be created with ownership set to user "root" and group "sgxio_core" and with permissions set to "rw-rw----" (user and group read/writable), which may allow only root and members of the "sgxio_core" group to send IOCTLs to the CED 318.
  • the computing device 100 executes the TIO core service 302 with the associated operating system 316 privileges.
  • the computing device 100 may execute the TIO core service 302 process to run in the user account "sgxio_core" in the group "sgxio_core", as described above.
  • the TIO core service 302 may create or otherwise host one or more secure enclaves such as the CEE 304, one or more privileged DDEs 306, and/or one or more privileged delegates 308 that each inherit one or more operating system 316 privileges of the TIO core service 302.
  • each of the secure enclaves may also execute in the user account "sgxio_core" as described above.
  • unprivileged software such as an application enclave 312 and/or DDE 314 requests the TIO core service 302 for an encrypted DMA channel with an I/O device 146 or class of I/O devices 146.
  • an application enclave 312 may request secure keyboard input from one or more keyboards 146 of the computing device 100.
  • the unprivileged software may not have the privilege required to access the CED 318 or otherwise control programming of the cryptographic engine 140.
  • an unprivileged application enclave 312 may execute in an ordinary user account that is not included in the "sgxio_core" group and thus does not have the ability to send IOCTLs to the CED 318.
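The device-node rule above (a node owned by root:sgxio_core with mode rw-rw----) is what keeps an ordinary-user application enclave away from the CED. The following is an added example, not code from the patent or from any Intel project: it reproduces the Unix discretionary permission check for such a node and shows which callers could open it read/write and therefore send it IOCTLs. The uid/gid numbers, the caller names and the `operator` account are constructed for illustration.

```python
"""Model of the role-based check that gates the CED's device node.

Added example, not code from the patent: it reproduces the Unix permission
logic for a node such as /dev/sgxio_core owned by root:sgxio_core with mode
rw-rw---- and shows which callers could open it read/write and so send it
IOCTLs. The uid/gid numbers and the caller names are constructed.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceNode:
    path: str
    uid: int      # owning user
    gid: int      # owning group
    mode: int     # permission bits only, e.g. 0o660


@dataclass(frozen=True)
class Caller:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def parse_symbolic_mode(text: str) -> int:
    """Convert a nine-character string such as 'rw-rw----' to 0o660."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    bits = 0
    for ch, flag in zip(text, "rwxrwxrwx"):
        bits <<= 1
        if ch == flag:
            bits |= 1
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r}")
    return bits


def may_send_ioctl(node: DeviceNode, caller: Caller) -> bool:
    """True if the caller could open the node read/write, which IOCTLs need.

    Mirrors the discretionary check: root bypasses the mode bits, the owner
    is judged by the user triple, a group member by the group triple, and
    everyone else by the 'other' triple (no fall-through between classes).
    """
    if caller.uid == 0:
        return True
    if caller.uid == node.uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif node.gid in caller.gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return node.mode & need == need


# Constructed setup matching the description: root:sgxio_core, rw-rw----.
SGXIO_GID = 1001
CED_NODE = DeviceNode("/dev/sgxio_core", uid=0, gid=SGXIO_GID,
                      mode=parse_symbolic_mode("rw-rw----"))

CALLERS = [
    Caller("root", 0, frozenset({0})),
    Caller("sgxio_core", 1001, frozenset({SGXIO_GID})),      # TIO core service account
    Caller("operator", 1002, frozenset({1002, SGXIO_GID})),  # supplementary group member
    Caller("app_user", 1003, frozenset({1003})),             # hosts an application enclave
]


def access_table(node=CED_NODE, callers=CALLERS):
    """Map each caller name to whether it may reach the CED through the node."""
    return {c.name: may_send_ioctl(node, c) for c in callers}


if __name__ == "__main__":
    for name, allowed in access_table().items():
        print(f"{name:12s} {'allowed' if allowed else 'denied'}")
```

The check deliberately does not fall through from the group triple to the "other" triple: a caller in the `sgxio_core` group is judged by the group bits only, exactly as the kernel does, so adding world-read bits later would not widen access for group members but would for everyone else.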
  • the request may specify a privileged delegate 308.
  • each privileged delegate 308 may securely determine whether a user has confirmed termination of the TIO session (i.e., confirmed that protection of a DMA channel is to be terminated).
  • Each privileged delegate 308 is hosted by the TIO core service 302 and thus inherits the cryptographic engine 140 programming privilege of the TIO core service 302. Accordingly, each privileged delegate 308 is trusted by the TIO stack (e.g., by the TIO core service 302 and related components) not to unprotect a DMA channel improperly in order to purposefully leave confidential user input in the clear.
  • the computing device 100 may use a default privileged delegate 308 and/or a system-wide privileged delegate 308 that is used for all applications.
  • the computing device 100 may use a delegate 308 that monitors for a particular secure keyboard input (e.g., CTRL-ALT-DEL on traditional PC systems).
  • the request for secure I/O may not expressly identify a delegate 308.
  • the CEE 304 generates a channel encryption key to protect the requested DMA channel.
  • the encryption key may be derived using a processor instruction such as EGETKEY with random seed values (i.e., the "KEY ID" parameter to EGETKEY), which ties the derived keys to the identity of the CEE 304.
  • the CEE 304 is trusted to never give out encryption keys to any other software entities except for the requesting enclave (e.g., the application enclave 312 and/or the unprivileged DDE 314).
  • the CEE 304 may provide the random seed value to untrusted software (i.e., untrusted from the TIO stack's perspective) for backup purposes.
  • the CEE 304 may provide the random seed value to the application enclave 312, to the operating system 316, or to another untrusted entity. If the CEE 304 crashes, upon restart the CEE 304 may re-generate the channel encryption keys securely using the random seed value.
  • the CEE 304 wraps channel programming information and invokes the CED 318 to protect the DMA channel.
  • the channel programming information may include the encryption key as determined in block 410 as well as other programming information such as the channel identifier (CID) of the DMA channel to be programmed, a programming command, a random nonce that may be used for authentication and replay protection, and other programming information.
  • the channel programming information may be stored in a binary structure such as a BIND_STRUCT structure.
  • the CEE 304 may invoke a processor instruction of the processor 120 such as EBINDTIO to generate the wrapped programming information.
  • the wrapped programming information may include the channel programming key encrypted with a key known by the unwrapping engine 320.
  • the CEE 304 may provide the wrapped programming information to the CED 318, for example by invoking one or more system calls (e.g., IOCTLs) or other privileged functions of the computing device 100.
  • the CED 318 verifies the cryptographic engine 140 programming privilege of the TIO core service 302 and, if successful, programs the cryptographic engine 140.
  • the CED 318 may verify the privilege of the TIO core service 302 by requiring a particular group membership or other role-based privilege to access a system call interface of the CED 318. For example, the permissions of the device node associated with the CED 318 may require membership in the "sgxio_core" group.
  • the CED 318 may invoke a processor instruction of the processor 120 such as UNWRAP to unwrap the programming information and securely program the DMA channel.
  • the UNWRAP instruction may cause the unwrapping engine 320 of the processor 120 to decrypt the wrapped channel programming key, verify the channel programming information, and copy the unwrapped channel programming information to the cryptographic engine 140.
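Blocks 410 to 416 above describe a key that is tied to the CEE's identity and a random KEY ID, wrapped so that only the unwrapping engine can recover it, and checked for integrity and replay before the cryptographic engine is programmed. The following is an added example, not code from the patent or from any Intel SDK: EGETKEY, EBINDTIO and UNWRAP are processor instructions, and here they are replaced by HMAC-SHA256 constructions from the Python standard library so the control flow can be run offline. The record layout, the command codes, the `seal_secret` and all other key material are constructed stand-ins.

```python
"""Model of the CEE -> CED -> unwrapping-engine programming path.

Added example, not code from the patent or from any Intel SDK. The
processor instructions are replaced by HMAC-SHA256 stand-ins; the record
layout (cid | command | nonce | encrypted key | tag) and the command codes
are constructed.
"""
import hashlib
import hmac
import secrets
import struct

PROTECT, UNPROTECT = 1, 2    # constructed programming commands
RECORD_LEN = 4 + 4 + 16 + 32 + 32


def derive_channel_key(seal_secret: bytes, cee_identity: bytes, key_id: bytes) -> bytes:
    """Stand-in for EGETKEY: the key depends on the enclave identity and the
    random KEY ID, so the CEE can rebuild it from a backed-up KEY ID after a
    restart while software lacking the identity cannot."""
    return hmac.new(seal_secret, b"channel" + cee_identity + key_id, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode: a constructed toy cipher, not a standard AEAD.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ebindtio(wrap_key: bytes, cid: int, command: int, channel_key: bytes) -> bytes:
    """Stand-in for EBINDTIO: BIND_STRUCT-like wrapped programming information."""
    nonce = secrets.token_bytes(16)
    header = struct.pack(">II", cid, command) + nonce
    enc_key = _xor(channel_key, _keystream(wrap_key, nonce, 32))
    tag = hmac.new(wrap_key, header + enc_key, hashlib.sha256).digest()
    return header + enc_key + tag


class UnwrappingEngine:
    """Stand-in for UNWRAP: holds the wrapping key, verifies the record and
    programs the cryptographic engine (modelled as a dict cid -> key)."""

    def __init__(self, wrap_key: bytes):
        self._wrap_key = wrap_key
        self.engine = {}
        self._seen_nonces = set()

    def unwrap(self, blob: bytes) -> bool:
        if len(blob) != RECORD_LEN:
            return False
        header, enc_key, tag = blob[:24], blob[24:56], blob[56:]
        expected = hmac.new(self._wrap_key, header + enc_key, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False              # tampered, or wrapped for a different engine
        cid, command = struct.unpack(">II", header[:8])
        nonce = header[8:]
        if nonce in self._seen_nonces:
            return False              # replayed programming request
        self._seen_nonces.add(nonce)
        key = _xor(enc_key, _keystream(self._wrap_key, nonce, 32))
        if command == PROTECT:
            self.engine[cid] = key
        elif command == UNPROTECT and self.engine.get(cid) == key:
            del self.engine[cid]      # unprotect needs the key that protected the channel
        else:
            return False
        return True


def run_demo() -> dict:
    """Exercise the path once and return the outcome of each check."""
    seal_secret = secrets.token_bytes(32)   # stands in for the processor's sealing root
    wrap_key = secrets.token_bytes(32)      # known only to the unwrapping engine
    key_id = secrets.token_bytes(16)        # the random seed handed out for backup
    key = derive_channel_key(seal_secret, b"CEE-304", key_id)
    rederived = derive_channel_key(seal_secret, b"CEE-304", key_id)  # after a CEE restart
    eng = UnwrappingEngine(wrap_key)
    blob = ebindtio(wrap_key, 7, PROTECT, key)
    return {
        "rederived_matches": rederived == key,
        "first": eng.unwrap(blob),
        "replay": eng.unwrap(blob),
        "tampered": eng.unwrap(blob[:-1] + bytes([blob[-1] ^ 1])),
        "foreign": eng.unwrap(ebindtio(secrets.token_bytes(32), 7, PROTECT, key)),
        "wrong_key_unprotect": eng.unwrap(ebindtio(wrap_key, 7, UNPROTECT, b"\0" * 32)),
        "unprotect": eng.unwrap(ebindtio(wrap_key, 7, UNPROTECT, rederived)),
        "channels_left": len(eng.engine),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22s} {value}")
```

Two points the run makes visible: the nonce is checked only after the tag, so an attacker who cannot forge the tag cannot use the replay list as a side channel, and an unprotect record is only honoured when it carries the key that protected the channel, which is why the description has the CEE retain or be able to re-derive that key.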
  • the cryptographic engine 140 protects channel communications between the unprivileged software and the I/O device 146.
  • the cryptographic engine 140 may intercept direct memory access (DMA) transactions and encrypt I/O data exchanged between an I/O device 146 and an unprivileged application enclave 312 and/or unprivileged DDE 314.
  • the computing device 100 determines whether to reclaim the I/O device 146 associated with the protected DMA channel. For example, the operating system 316 may determine to reclaim the I/O device 146 if the associated unprivileged software (e.g., the application enclave 312 and/or the unprivileged DDE 314) crashes or otherwise terminates. If the I/O device 146 is not reclaimed in such circumstances, DMA transactions with that I/O device 146 may remain encrypted until the computing device 100 is reset, making the I/O device 146 unavailable to other applications and thus causing a denial of service.
  • the method 400 loops back to block 418 and the cryptographic engine 140 continues to protect the DMA channel. If the computing device 100 determines to reclaim the I/O device 146, the method 400 advances to block 422.
  • the operating system 316 requests the TIO core service 302 to unprotect the DMA channel associated with the I/O device 146 to be reclaimed.
  • the operating system 316 may, for example, send a message to the TIO core service 302 using an interprocess communication facility or otherwise invoke the TIO core service 302.
  • the privileged delegate 308 associated with that DMA channel prompts the user to confirm termination of the TIO session.
  • the operating system 316 may prompt the user on behalf of the delegate 308.
  • the delegate 308 may use any appropriate technique to securely (i.e., without receiving unprotected user input over the DMA channel) confirm termination with the user.
  • the delegate 308 may decide whether it is secure to unprotect the I/O device 146 without knowing anything about the crashed application enclave 312 and/or DDE 314.
  • a secure technique to receive confirmation from the human user may be to receive the confirmation through a different encrypted I/O device 146.
  • the privileged delegate 308 and/or the operating system 316 may display a message to the user and then the privileged delegate 308 may receive confirming user input through another encrypted input device 146, for example by receiving protected user input via a different DMA channel.
  • a computing device 100 having a keyboard 146 may receive the confirmation as a special combination of keys, so that it is considered "secure" to unprotect the DMA channel when the human user presses that combination of keys (e.g., similar to pressing CTRL+ALT+DEL to bring up a graphical login interface).
  • the privileged delegate 308 determines whether the user has confirmed that the TIO session is terminated.
  • the delegate 308 may consider it secure to unprotect the I/O device 146 after receiving the acknowledgement from the human user, who is considered to have stopped feeding sensitive input data to the I/O device 146 before making the acknowledgement. If the user has not confirmed, the method 400 loops back to block 424 to continue monitoring for user confirmation. While monitoring for user confirmation, the DMA channel and the associated input data remain protected. If the user has confirmed that the TIO session is terminated, the method 400 advances to block 428.
  • the CEE 304 unprotects the DMA channel associated with the I/O device 146 to be reclaimed.
  • the CEE 304 may perform operations similar to the request to protect the DMA channel described above in connection with blocks 414 to 416.
  • the CEE 304 may generate wrapped programming information and submit the wrapped programming information to the CED 318, which may unwrap the programming information and program the cryptographic engine 140 to unprotect the DMA channel.
  • the encryption key used to protect the DMA channel may be required to generate the wrapped programming information to unprotect the DMA channel.
  • the CEE 304 and/or other components of the TIO stack may retain a copy of the encryption key or otherwise have access to the encryption key associated with each DMA channel.
  • I/O data may be communicated between the I/O device 146 and the memory 132 in the clear, and the method 400 loops back to block 406 to monitor for additional requests to protect DMA channels.
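The reclaim path in blocks 420 to 428 above is a small policy: the operating system may ask to unprotect a channel once its owning application has gone, but the channel and its data stay protected until the privileged delegate sees the user's confirmation arrive over a different, still-protected channel, and only then is the engine reprogrammed. The following is an added example, not code from the patent, that encodes that policy as a state machine; the channel ids, the confirmation key chord and the dict standing in for the cryptographic engine's key table are constructed.

```python
"""Model of the reclaim path (blocks 420 to 428 of method 400).

Added example, not code from the patent. Channel ids, the confirmation
chord and the engine key table are constructed.
"""
from enum import Enum, auto

CONFIRM_CHORD = ("ctrl", "alt", "del")   # constructed secure attention sequence


class State(Enum):
    PROTECTED = auto()
    AWAITING_CONFIRMATION = auto()
    UNPROTECTED = auto()


class TioCoreService:
    """TIO core service plus its privileged delegate, with a dict standing in
    for the cryptographic engine's per-channel key table."""

    def __init__(self):
        self.engine = {}    # cid -> channel key, retained so unprotect can be wrapped
        self.state = {}     # cid -> State
        self.pending = {}   # cid awaiting confirmation -> channel carrying the confirmation

    def protect(self, cid: int, key: bytes) -> None:
        self.engine[cid] = key
        self.state[cid] = State.PROTECTED

    def request_unprotect(self, cid: int, confirm_via: int) -> bool:
        """The operating system asks to reclaim `cid`; the delegate will wait
        for confirmation on `confirm_via`, which must be another protected channel."""
        if self.state.get(cid) != State.PROTECTED:
            return False
        if confirm_via == cid or self.state.get(confirm_via) != State.PROTECTED:
            return False    # confirmation would not arrive as protected input
        self.pending[cid] = confirm_via
        self.state[cid] = State.AWAITING_CONFIRMATION
        return True

    def deliver_protected_input(self, channel: int, keys: tuple) -> list:
        """Decrypted input from `channel` reaches the delegate; returns the
        channel ids whose termination the user has just confirmed."""
        if self.state.get(channel) not in (State.PROTECTED, State.AWAITING_CONFIRMATION):
            return []       # input on an unprotected channel is never trusted as confirmation
        confirmed = []
        for cid, via in list(self.pending.items()):
            if via == channel and keys == CONFIRM_CHORD:
                self.engine.pop(cid)        # wrap an UNPROTECT with the retained key, then drop it
                del self.pending[cid]
                self.state[cid] = State.UNPROTECTED
                confirmed.append(cid)
        return confirmed

    def is_protected(self, cid: int) -> bool:
        return cid in self.engine


def run_demo() -> dict:
    """Keyboard (cid 1) and touchscreen (cid 2) are protected; the keyboard's
    application crashes and the OS asks to reclaim it."""
    svc = TioCoreService()
    svc.protect(1, b"kbd-key")
    svc.protect(2, b"touch-key")
    return {
        "same_channel_rejected": svc.request_unprotect(1, 1),
        "unprotected_channel_rejected": svc.request_unprotect(1, 3),
        "accepted": svc.request_unprotect(1, 2),
        "duplicate_rejected": svc.request_unprotect(1, 2),
        "other_keys_ignored": svc.deliver_protected_input(2, ("a",)),
        "chord_on_reclaimed_channel_ignored": svc.deliver_protected_input(1, CONFIRM_CHORD),
        "still_protected_meanwhile": svc.is_protected(1),
        "confirmed": svc.deliver_protected_input(2, CONFIRM_CHORD),
        "keyboard_protected_after": svc.is_protected(1),
        "touch_protected_after": svc.is_protected(2),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:36s} {value}")
```

The model keeps the channel being reclaimed in the protected state while waiting, which is the denial-of-service trade-off the description accepts: the device is unavailable to other applications until the user confirms, but no keystrokes typed in the meantime reach memory in the clear.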
  • the method 400 may be embodied as various instructions stored on a computer-readable media, which may be executed by the processor 120 and/or other components of the computing device 100 to cause the computing device 100 to perform the corresponding method 400.
  • the computer-readable media may be embodied as any type of media capable of being read by the computing device 100 including, but not limited to, the memory 132, the data storage device 134, other memory or data storage devices of the computing device 100, portable media readable by a peripheral device of the computing device 100, and/or other media.
  • An embodiment of the technologies may include any one or more, and any combination of, the examples described below.
  • Example 1 includes a computing device for trusted I/O access control, the computing device comprising: a common trust module to (i) execute a trusted I/O core service, wherein the trusted I/O core service has a cryptographic engine programming privilege granted by an operating system of the computing device, and (ii) receive a request from an application to protect a DMA channel associated with an I/O device of the computing device, wherein the application does not have the cryptographic engine programming privilege; an access control module to (i) receive, by the operating system, a request from the trusted I/O core service to protect the DMA channel in response to receipt of the request from the application to protect the DMA channel, and (ii) verify, by the operating system, the cryptographic engine programming privilege of the trusted I/O core service in response to receipt of the request to protect the DMA channel; and a programming module to program a cryptographic engine of the computing device to protect the DMA channel in response to verification of the cryptographic engine programming privilege of the trusted I/O core service.
  • Example 2 includes the subject matter of Example 1, and further comprising a processor with secure enclave support, wherein the application comprises a secure enclave established with the secure enclave support of the processor.
  • Example 3 includes the subject matter of any of Examples 1 and 2, and wherein the operating system comprises a cryptographic engine driver.
  • Example 4 includes the subject matter of any of Examples 1-3, and wherein the common trust module is further to: receive, by the trusted I/O core service from the operating system, a request to unprotect the DMA channel in response to programming of the cryptographic engine to protect the DMA channel; determine, by a privileged delegate associated with the DMA channel, whether a user of the computing device has confirmed termination of protection of the DMA channel in response to receipt of the request to unprotect the DMA channel, wherein the privileged delegate is established by the trusted I/O core service; and unprotect, by the trusted I/O core service, the DMA channel in response to a determination that the user has confirmed termination of protection of the DMA channel.
  • Example 5 includes the subject matter of any of Examples 1-4, and wherein to determine whether the user of the computing device has confirmed termination of protection of the DMA channel comprises to receive protected user input via a protected DMA channel of the computing device.
  • Example 6 includes the subject matter of any of Examples 1-5, and wherein to receive the protected user input via the protected DMA channel comprises to receive the protected user input via a second DMA channel, wherein the second DMA channel is different from the DMA channel of the request to unprotect the DMA channel.
  • Example 7 includes the subject matter of any of Examples 1-6, and wherein to receive the request to protect the DMA channel comprises to receive a request that identifies the privileged delegate.
  • Example 8 includes the subject matter of any of Examples 1-7, and further comprising a processor with secure enclave support, wherein the privileged delegate comprises a secure enclave established with the secure enclave support of the processor.
  • Example 9 includes the subject matter of any of Examples 1-8, and wherein the access control module is further to: determine, by the operating system, whether to unprotect the DMA channel in response to the programming of the cryptographic engine to protect the
  • Example 10 includes the subject matter of any of Examples 1-9, and wherein to determine whether to unprotect the DMA channel comprises to determine whether the application has terminated.
  • Example 11 includes the subject matter of any of Examples 1-10, and wherein the common trust module is further to (i) generate, by a cryptographic engine enclave (CEE) established by the trusted I/O core service, a channel encryption key in response to receipt of the request to protect the DMA channel, and (ii) wrap, by the CEE, the channel encryption key to generate wrapped programming information; and to receive the request from the trusted I/O core service to protect the DMA channel comprises to receive the wrapped programming information from the trusted I/O core service.
  • Example 12 includes the subject matter of any of Examples 1-11, and wherein to wrap the channel encryption key comprises to invoke a processor instruction of a processor of the computing device to generate the wrapped programming information.
  • Example 13 includes the subject matter of any of Examples 1-12, and wherein to generate the channel encryption key comprises to: generate a random seed used to generate the channel encryption key; and provide the random seed to untrusted software of the computing device.
  • Example 14 includes the subject matter of any of Examples 1-13, and wherein: the programming module is further to unwrap, by the operating system, the wrapped programming information to generate unwrapped programming information in response to receipt of the wrapped programming information; and to program the cryptographic engine comprises to program the cryptographic engine with the unwrapped programming information to protect the DMA channel in response to an unwrap of the wrapped programming information.
  • Example 15 includes the subject matter of any of Examples 1-14, and wherein to unwrap the wrapped programming information comprises to invoke a processor instruction of a processor of the computing device to generate the unwrapped programming information.
  • Example 16 includes a method for trusted I/O access control, the method comprising: executing, by a computing device, a trusted I/O core service, wherein the trusted I/O core service has a cryptographic engine programming privilege granted by an operating system of the computing device; receiving, by the trusted I/O core service, a request from an application to protect a DMA channel associated with an I/O device of the computing device, wherein the application does not have the cryptographic engine programming privilege; receiving, by the operating system, a request from the trusted I/O core service to protect the DMA channel in response to receiving the request from the application to protect the DMA channel; verifying, by the operating system, the cryptographic engine programming privilege of the trusted I/O core service in response to receiving the request to protect the DMA channel; and programming, by the operating system, a cryptographic engine of the computing device to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the trusted I/O core service.
  • Example 17 includes the subject matter of Example 16, and wherein the application comprises a secure enclave established with secure enclave support of a processor of the computing device.
  • Example 18 includes the subject matter of any of Examples 16 and 17, and wherein the operating system comprises a cryptographic engine driver.
  • Example 19 includes the subject matter of any of Examples 16-18, and further comprising: receiving, by the trusted I/O core service from the operating system, a request to unprotect the DMA channel in response to programming the cryptographic engine to protect the DMA channel; determining, by a privileged delegate associated with the DMA channel, whether a user of the computing device has confirmed termination of protection of the DMA channel in response to receiving the request to unprotect the DMA channel, wherein the privileged delegate is established by the trusted I/O core service; and unprotecting, by the trusted I/O core service, the DMA channel in response to determining that the user has confirmed termination of protection of the DMA channel.
  • Example 20 includes the subject matter of any of Examples 16-19, and wherein determining whether the user of the computing device has confirmed termination of protection of the DMA channel comprises receiving protected user input via a protected DMA channel of the computing device.
  • Example 21 includes the subject matter of any of Examples 16-20, and wherein receiving the protected user input via the protected DMA channel comprises receiving the protected user input via a second DMA channel, wherein the second DMA channel is different from the DMA channel of the request to unprotect the DMA channel.
  • Example 22 includes the subject matter of any of Examples 16-21, and wherein receiving the request to protect the DMA channel comprises receiving a request that identifies the privileged delegate.
  • Example 23 includes the subject matter of any of Examples 16-22, and wherein the privileged delegate comprises a secure enclave established with secure enclave support of a processor of the computing device.
  • Example 24 includes the subject matter of any of Examples 16-23, and further comprising: determining, by the operating system, whether to unprotect the DMA channel in response to programming the cryptographic engine to protect the DMA channel; and requesting, by the operating system, the trusted I/O core service to unprotect the DMA channel in response to determining to unprotect the DMA channel.
  • Example 25 includes the subject matter of any of Examples 16-24, and wherein determining whether to unprotect the DMA channel comprises determining whether the application has terminated.
  • Example 26 includes the subject matter of any of Examples 16-25, and further comprising: generating, by a cryptographic engine enclave (CEE) established by the trusted I/O core service, a channel encryption key in response to receiving the request to protect the DMA channel; and wrapping, by the CEE, the channel encryption key to generate wrapped programming information; wherein receiving the request from the trusted I/O core service to protect the DMA channel comprises receiving the wrapped programming information from the trusted I/O core service.
  • Example 27 includes the subject matter of any of Examples 16-26, and wherein wrapping the channel encryption key comprises invoking a processor instruction of a processor of the computing device to generate the wrapped programming information.
  • Example 28 includes the subject matter of any of Examples 16-27, and wherein generating the channel encryption key comprises: generating a random seed used to generate the channel encryption key; and providing the random seed to untrusted software of the computing device.
  • Example 29 includes the subject matter of any of Examples 16-28, and further comprising: unwrapping, by the operating system, the wrapped programming information to generate unwrapped programming information in response to receiving the wrapped programming information; wherein programming the cryptographic engine comprises programming the cryptographic engine with the unwrapped programming information to protect the DMA channel in response to unwrapping the wrapped programming information.
  • Example 30 includes the subject matter of any of Examples 16-29, and wherein unwrapping the wrapped programming information comprises invoking a processor instruction of a processor of the computing device to generate the unwrapped programming information.
  • Example 31 includes a computing device comprising: a processor; and a memory having stored therein a plurality of instructions that when executed by the processor cause the computing device to perform the method of any of Examples 16-30.
  • Example 32 includes one or more machine readable storage media comprising a plurality of instructions stored thereon that in response to being executed result in a computing device performing the method of any of Examples 16-30.
  • Example 33 includes a computing device comprising means for performing the method of any of Examples 16-30.
  • Example 34 includes a computing device for trusted I/O access control, the computing device comprising: means for executing a trusted I/O core service, wherein the trusted I/O core service has a cryptographic engine programming privilege granted by an operating system of the computing device; means for receiving, by the trusted I/O core service, a request from an application to protect a DMA channel associated with an I/O device of the computing device, wherein the application does not have the cryptographic engine programming privilege; means for receiving, by the operating system, a request from the trusted I/O core service to protect the DMA channel in response to receiving the request from the application to protect the DMA channel; means for verifying, by the operating system, the cryptographic engine programming privilege of the trusted I/O core service in response to receiving the request to protect the DMA channel; and means for programming, by the operating system, a cryptographic engine of the computing device to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the trusted I/O core service.
  • Example 35 includes the subject matter of Example 34, and wherein the application comprises a secure enclave established with secure enclave support of a processor of the computing device.
  • Example 36 includes the subject matter of any of Examples 34 and 35, and wherein the operating system comprises a cryptographic engine driver.
  • Example 37 includes the subject matter of any of Examples 34-36, and further comprising: means for receiving, by the trusted I/O core service from the operating system, a request to unprotect the DMA channel in response to programming the cryptographic engine to protect the DMA channel; means for determining, by a privileged delegate associated with the DMA channel, whether a user of the computing device has confirmed termination of protection of the DMA channel in response to receiving the request to unprotect the DMA channel, wherein the privileged delegate is established by the trusted I/O core service; and means for unprotecting, by the trusted I/O core service, the DMA channel in response to determining that the user has confirmed termination of protection of the DMA channel.
  • Example 38 includes the subject matter of any of Examples 34-37, and wherein the means for determining whether the user of the computing device has confirmed termination of protection of the DMA channel comprises means for receiving protected user input via a protected DMA channel of the computing device.
  • Example 39 includes the subject matter of any of Examples 34-38, and wherein the means for receiving the protected user input via the protected DMA channel comprises means for receiving the protected user input via a second DMA channel, wherein the second DMA channel is different from the DMA channel of the request to unprotect the DMA channel.
  • Example 40 includes the subject matter of any of Examples 34-39, and wherein the means for receiving the request to protect the DMA channel comprises means for receiving a request that identifies the privileged delegate.
  • Example 41 includes the subject matter of any of Examples 34-40, and wherein the privileged delegate comprises a secure enclave established with secure enclave support of a processor of the computing device.
  • Example 42 includes the subject matter of any of Examples 34-41, and further comprising: means for determining, by the operating system, whether to unprotect the DMA channel in response to programming the cryptographic engine to protect the DMA channel; and means for requesting, by the operating system, the trusted I/O core service to unprotect the DMA channel in response to determining to unprotect the DMA channel.
  • Example 43 includes the subject matter of any of Examples 34-42, and wherein the means for determining whether to unprotect the DMA channel comprises means for determining whether the application has terminated.
  • Example 44 includes the subject matter of any of Examples 34-43, and further comprising: means for generating, by a cryptographic engine enclave (CEE) established by the trusted I/O core service, a channel encryption key in response to receiving the request to protect the DMA channel; and means for wrapping, by the CEE, the channel encryption key to generate wrapped programming information; wherein the means for receiving the request from the trusted I/O core service to protect the DMA channel comprises means for receiving the wrapped programming information from the trusted I/O core service.
  • Example 45 includes the subject matter of any of Examples 34-44, and wherein the means for wrapping the channel encryption key comprises means for invoking a processor instruction of a processor of the computing device to generate the wrapped programming information.
  • Example 46 includes the subject matter of any of Examples 34-45, and wherein the means for generating the channel encryption key comprises: means for generating a random seed used to generate the channel encryption key; and means for providing the random seed to untrusted software of the computing device.
  • Example 47 includes the subject matter of any of Examples 34-46, and further comprising: means for unwrapping, by the operating system, the wrapped programming information to generate unwrapped programming information in response to receiving the wrapped programming information; wherein the means for programming the cryptographic engine comprises means for programming the cryptographic engine with the unwrapped programming information to protect the DMA channel in response to unwrapping the wrapped programming information.
  • Example 48 includes the subject matter of any of Examples 34-47, and wherein the means for unwrapping the wrapped programming information comprises means for invoking a processor instruction of a processor of the computing device to generate the unwrapped programming information.

EP16828189.7A 2015-07-20 2016-06-20 Technologien zur sicheren vertrauenswürdigen i/o-zugangskontrolle Active EP3326104B1 (de)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US201562194763P 2015-07-20 2015-07-20
US201562195148P 2015-07-21 2015-07-21
US201562198201P 2015-07-29 2015-07-29
US14/974,944 US10552619B2 (en) 2015-07-20 2015-12-18 Technologies for secure trusted I/O access control
PCT/US2016/038394 WO2017014887A1 (en) 2015-07-20 2016-06-20 Technologies for secure trusted i/o access control

Publications (3)

Publication Number Publication Date
EP3326104A1 true EP3326104A1 (de) 2018-05-30
EP3326104A4 EP3326104A4 (de) 2019-03-20
EP3326104B1 EP3326104B1 (de) 2019-10-09

Family

ID=57835222

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16828189.7A Active EP3326104B1 (de) 2015-07-20 2016-06-20 Technologien zur sicheren vertrauenswürdigen i/o-zugangskontrolle

Country Status (4)

Country Link
US (1) US10552619B2 (de)
EP (1) EP3326104B1 (de)
CN (1) CN108140094B (de)
WO (1) WO2017014887A1 (de)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10552619B2 (en) * 2015-07-20 2020-02-04 Intel Corporation Technologies for secure trusted I/O access control
EP3420465B1 (de) * 2016-02-25 2021-12-08 INTEL Corporation Mobile edge computing platform
US10867029B2 (en) * 2017-01-24 2020-12-15 Microsoft Technology Licensing, Llc Enclave client abstraction model
US10372945B2 (en) * 2017-01-24 2019-08-06 Microsoft Technology Licensing, Llc Cross-platform enclave identity
US10558812B2 (en) 2017-06-21 2020-02-11 Microsoft Technology Licensing, Llc Mutual authentication with integrity attestation
US10938560B2 (en) 2017-06-21 2021-03-02 Microsoft Technology Licensing, Llc Authorization key escrow
US12256024B2 (en) 2017-06-21 2025-03-18 Microsoft Technology Licensing, Llc Device provisioning
US10440006B2 (en) 2017-06-21 2019-10-08 Microsoft Technology Licensing, Llc Device with embedded certificate authority
US10296741B2 (en) 2017-07-27 2019-05-21 International Business Machines Corporation Secure memory implementation for secure execution of virtual machines
US10387686B2 (en) 2017-07-27 2019-08-20 International Business Machines Corporation Hardware based isolation for secure execution of virtual machines
US11374760B2 (en) 2017-09-13 2022-06-28 Microsoft Technology Licensing, Llc Cyber physical key
US11403005B2 (en) * 2017-09-29 2022-08-02 Intel Corporation Cryptographic memory ownership
US11461460B2 (en) * 2017-12-04 2022-10-04 British Telecommunications Public Limited Company Software container application encryption
CN108614968B (zh) * 2018-05-04 2020-11-24 飞天诚信科技股份有限公司 Method for secure interaction on a general-purpose platform, and smart terminal
US11386017B2 (en) 2018-06-20 2022-07-12 Intel Corporation Technologies for secure authentication and programming of accelerator devices
CN109947666B (zh) * 2019-02-27 2023-04-25 余炀 Trusted execution environment cache isolation method and apparatus, electronic device and storage medium
US11205003B2 (en) 2020-03-27 2021-12-21 Intel Corporation Platform security mechanism
CN111859396B (zh) * 2020-07-21 2023-10-03 中国人民解放军国防科技大学 Software/hardware cooperative multi-level cryptographic service method and system supporting a general-purpose/trusted dual computing architecture
CN114385529B (zh) * 2020-10-16 2024-11-01 瑞昱半导体股份有限公司 Direct memory access controller, electronic device using the same, and method of operating the same
US12045337B2 (en) 2021-05-21 2024-07-23 Samsung Electronics Co., Ltd. Apparatus and method for providing secure execution environment for NPU
US12373580B2 (en) * 2022-11-22 2025-07-29 Dell Products, L.P. Using an embedded controller (EC) integrated into a heterogeneous computing platform as a trusted platform module (TPM)

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6901491B2 (en) * 2001-10-22 2005-05-31 Sun Microsystems, Inc. Method and apparatus for integration of communication links with a remote direct memory access protocol
US7975117B2 (en) * 2003-03-24 2011-07-05 Microsoft Corporation Enforcing isolation among plural operating systems
CN1280754C (zh) * 2003-09-29 2006-10-18 中国科学院沈阳自动化研究所 Embedded networked remote input/output system
US7685436B2 (en) * 2003-10-02 2010-03-23 Itt Manufacturing Enterprises, Inc. System and method for a secure I/O interface
US7734933B1 (en) * 2005-06-17 2010-06-08 Rockwell Collins, Inc. System for providing secure and trusted computing environments through a secure computing module
US8156259B2 (en) * 2005-07-21 2012-04-10 Elliptic Technologies Inc. Memory data transfer method and system
EP1801700B1 (de) 2005-12-23 2013-06-26 Texas Instruments Inc. System and method for limiting the use of a DMA channel
US7716389B1 (en) * 2006-03-17 2010-05-11 Bitmicro Networks, Inc. Direct memory access controller with encryption and decryption for non-blocking high bandwidth I/O transactions
US7533197B2 (en) * 2006-11-08 2009-05-12 Sicortex, Inc. System and method for remote direct memory access without page locking by the operating system
JP4347350B2 (ja) * 2007-02-15 2009-10-21 富士通株式会社 Data encryption transfer device, data decryption transfer device, data encryption transfer method and data decryption transfer method
US20090287895A1 (en) * 2008-05-15 2009-11-19 Advanced Micro Devices Secure Memory Access System
CN101281577B (zh) * 2008-05-16 2010-06-23 北京工业大学 Trusted computing system for protecting the BIOS, and application method thereof
US20110154023A1 (en) * 2009-12-21 2011-06-23 Smith Ned M Protected device management
AU2011275347A1 (en) * 2010-07-08 2013-02-07 Wyeth Llc Novel quinoline esters useful for treating skin disorders
KR101687439B1 (ko) * 2010-07-22 2016-12-16 나그라비젼 에스에이 Processor execution method for ensuring software integrity
US8954959B2 (en) * 2010-09-16 2015-02-10 Red Hat Israel, Ltd. Memory overcommit by using an emulated IOMMU in a computer system without a host IOMMU
JP2014500989A (ja) * 2010-09-28 2014-01-16 ヘッドウォーター パートナーズ I エルエルシー Secure device data records
US8972746B2 (en) * 2010-12-17 2015-03-03 Intel Corporation Technique for supporting multiple secure enclaves
US8631212B2 (en) * 2011-09-25 2014-01-14 Advanced Micro Devices, Inc. Input/output memory management unit with protection mode for preventing memory access by I/O devices
US9037511B2 (en) * 2011-09-29 2015-05-19 Amazon Technologies, Inc. Implementation of secure communications in a support system
JP5908991B2 (ja) * 2011-12-21 2016-04-26 インテル・コーポレーション Secure direct memory access
US9419972B2 (en) 2012-03-30 2016-08-16 Intel Corporation Two dimensional direct memory access scheme for enhanced network protocol processing performance
US9135446B2 (en) * 2012-09-28 2015-09-15 Intel Corporation Systems and methods to provide secure storage
US9268930B2 (en) * 2012-11-29 2016-02-23 Gilbarco Inc. Fuel dispenser user interface system architecture
US10887296B2 (en) * 2012-12-31 2021-01-05 Ncr Corporation Secure provisioning manifest for controlling peripherals attached to a computer
US9495544B2 (en) * 2013-06-27 2016-11-15 Visa International Service Association Secure data transmission and verification with untrusted computing devices
CN103793662A (zh) * 2013-12-12 2014-05-14 浪潮电子信息产业股份有限公司 Secure operation method based on mandatory access control on a trusted platform
FR3019339B1 (fr) * 2014-03-25 2016-04-01 Commissariat Energie Atomique Method for transferring data between real-time tasks using a DMA memory controller
US10552619B2 (en) * 2015-07-20 2020-02-04 Intel Corporation Technologies for secure trusted I/O access control
US10374805B2 (en) * 2015-07-20 2019-08-06 Intel Corporation Technologies for trusted I/O for multiple co-existing trusted execution environments under ISA control

Also Published As

Publication number Publication date
EP3326104B1 (de) 2019-10-09
CN108140094A (zh) 2018-06-08
WO2017014887A1 (en) 2017-01-26
US10552619B2 (en) 2020-02-04
CN108140094B (zh) 2022-05-13
US20170024569A1 (en) 2017-01-26
EP3326104A4 (de) 2019-03-20

Similar Documents

Publication Publication Date Title
EP3326104B1 (de) Technologies for secure trusted I/O access control
EP3326103B1 (de) Technologies for trusted I/O for multiple co-existing trusted execution environments under ISA control
EP3326105B1 (de) Technologies for secure programming of a cryptographic engine for secure I/O
US20200349265A1 (en) Technologies for trusted i/o with a channel identifier filter and processor-based cryptographic engine
US9698988B2 (en) Management control method, apparatus, and system for virtual machine
EP2657879B1 (de) Security-controlled multiprocessor system
US10079684B2 (en) Technologies for end-to-end biometric-based authentication and platform locality assertion
TWI703469B (zh) Secure input/output device management apparatus, method and system
EP4610867A2 (de) Systems and methods for virtualizing processors
US10250595B2 (en) Embedded trusted network security perimeter in computing systems based on ARM processors
US10938857B2 (en) Management of a distributed universally secure execution environment
JP7826192B2 (ja) Hypervisor secure event handling in a processor
US10824766B2 (en) Technologies for authenticated USB device policy enforcement
Li et al. GSLAC: GPU Software Level Access Control for Information Isolation on Cloud Platforms
Yao et al. Device Security

Legal Events

Code Title Description
STAA Information on the status of an ep patent application or granted ep patent
  Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase
  Free format text: ORIGINAL CODE: 0009012
STAA Information on the status of an ep patent application or granted ep patent
  Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE
17P Request for examination filed
  Effective date: 20180112
AK Designated contracting states
  Kind code of ref document: A1
  Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
AX Request for extension of the european patent
  Extension state: BA ME
DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched
  Effective date: 20190219
RIC1 Information provided on ipc code assigned before grant
  Ipc: G06F 21/57 20130101ALI20190213BHEP
  Ipc: G06F 13/28 20060101ALI20190213BHEP
  Ipc: G06F 21/60 20130101AFI20190213BHEP
GRAP Despatch of communication of intention to grant a patent
  Free format text: ORIGINAL CODE: EPIDOSNIGR1
STAA Information on the status of an ep patent application or granted ep patent
  Free format text: STATUS: GRANT OF PATENT IS INTENDED
INTG Intention to grant announced
  Effective date: 20190510
GRAS Grant fee paid
  Free format text: ORIGINAL CODE: EPIDOSNIGR3
GRAA (expected) grant
  Free format text: ORIGINAL CODE: 0009210
STAA Information on the status of an ep patent application or granted ep patent
  Free format text: STATUS: THE PATENT HAS BEEN GRANTED
AK Designated contracting states
  Kind code of ref document: B1
  Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
REG Reference to a national code
  Ref country code: GB
  Ref legal event code: FG4D
REG Reference to a national code
  Ref country code: CH
  Ref legal event code: EP
REG Reference to a national code
  Ref country code: IE
  Ref legal event code: FG4D
REG Reference to a national code
  Ref country code: DE
  Ref legal event code: R096
  Ref document number: 602016022327
  Country of ref document: DE
REG Reference to a national code
  Ref country code: AT
  Ref legal event code: REF
  Ref document number: 1189671
  Country of ref document: AT
  Kind code of ref document: T
  Effective date: 20191115
REG Reference to a national code
  Ref country code: NL
  Ref legal event code: FP
REG Reference to a national code
  Ref country code: LT
  Ref legal event code: MG4D
REG Reference to a national code
  Ref country code: AT
  Ref legal event code: MK05
  Ref document number: 1189671
  Country of ref document: AT
  Kind code of ref document: T
  Effective date: 20191009
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: LT
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: PL
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: NO
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20200109
  Ref country code: PT
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20200210
  Ref country code: ES
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: LV
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: SE
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: AT
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: FI
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: BG
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20200109
  Ref country code: GR
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20200110
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: IS
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20200224
  Ref country code: RS
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: HR
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: AL
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
REG Reference to a national code
  Ref country code: DE
  Ref legal event code: R097
  Ref document number: 602016022327
  Country of ref document: DE
PG2D Information on lapse in contracting state deleted
  Ref country code: IS
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: DK
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: EE
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: RO
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: CZ
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: IS
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20200209
PLBE No opposition filed within time limit
  Free format text: ORIGINAL CODE: 0009261
STAA Information on the status of an ep patent application or granted ep patent
  Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: IT
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: SK
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: SM
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
26N No opposition filed
  Effective date: 20200710
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: SI
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: MC
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
REG Reference to a national code
  Ref country code: CH
  Ref legal event code: PL
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: LU
  Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES
  Effective date: 20200620
REG Reference to a national code
  Ref country code: BE
  Ref legal event code: MM
  Effective date: 20200630
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: CH
  Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES
  Effective date: 20200630
  Ref country code: LI
  Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES
  Effective date: 20200630
  Ref country code: IE
  Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES
  Effective date: 20200620
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: BE
  Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES
  Effective date: 20200630
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: TR
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: MT
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
  Ref country code: CY
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: MK
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20191009
P01 Opt-out of the competence of the unified patent court (upc) registered
  Effective date: 20230518
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: FR
  Payment date: 20241129
  Year of fee payment: 10
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: NL
  Payment date: 20250107
  Year of fee payment: 10
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: DE
  Payment date: 20250521
  Year of fee payment: 10
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: GB
  Payment date: 20250522
  Year of fee payment: 10